AbleToTrain by Willing & Able

Social engineering guide

People make mistakes. This is one of the most important battles faced by cybersecurity professionals around the world. Even with advanced security tools, humans remain the weakest link. Cyber actors exploit this weakness to manipulate people into revealing credentials and other sensitive data.

It’s true that we all make mistakes, but we can try to stay one step ahead of these attackers by learning to identify and counter the various scams and tricks they use. The best way to avoid becoming a target of social engineering is to understand how it works.

In cybersecurity, social engineering is a technique for accessing sensitive data by manipulating human psychology rather than using advanced hacking techniques. Instead of exploiting a system vulnerability, an attacker calls an employee or sends a phishing email spoofing a legitimate source.

The term “social engineering” was coined in the 1990s with the help of the world’s most famous hacker, Kevin Mitnick, as explained by CNN and Fox News. However, the concept itself has been around for decades.

How social engineering works

Like other cyber threats, social engineering attacks come in many forms. Understanding how they work is the best way to mitigate their risks. There are several ways social engineers can exploit human weaknesses.

A cyber attacker can trick you into leaving the door open or downloading malicious content that puts your network resources at risk. There are four steps to a successful social engineering attack:

Preparation: In this phase, the social engineer collects information about the target. Social media, phone calls, emails, and text messages are common methods.

Intrusion: In the intrusion phase, the cybercriminal impersonates a legitimate source and approaches the target, using the data collected about the victim to appear authentic.

Exploitation: Here, the attacker manipulates the user into revealing sensitive information that can be used to carry out an attack, such as login credentials, account details, contact information, and payment methods.

Withdrawal: In this final stage, the social engineer or cyber actor stops communicating with the victim, launches the attack and disappears. The time it takes to execute such a plan depends on the strength of the social engineering attack; it can last from days to months. In any case, knowing what social engineers want and what tactics they use is a great way to prevent social engineering.

What social engineers want

Now that you know what a social engineering attack is, let’s dig deeper into how social engineers think. These attackers aim to obtain information that can be used to prepare for theft of personal information, financial gain, and even more targeted attacks. Installing malicious programs to gain access to your system, accounts, or personal information is a common tactic.

Information that is valuable to social engineers includes:

  • Account numbers

  • Login details

  • Personally identifiable information (PII)

  • Access cards and identity badges

  • Computer system information

  • Server and network information

How Does Social Engineering Affect an Organization?

The impact of social engineering attacks on an organization can be devastating. They can tarnish your reputation, harm professional relationships, and reduce client trust.

Besides that, social engineering assaults can cause severe financial loss, disruption in operations, and diminished business productivity. Because of these potentially catastrophic effects on business continuity, knowing how to identify, prevent, and counteract social engineering is vital. Implementing good inbound and outbound security can help monitor traffic for suspicious user activity, unusual domains and emails, and massive movement of confidential data.

Social Engineering Tactics to Look Out For

There are several manipulation tactics social engineers use to achieve their goals. Recognizing these techniques is critical to keeping your sensitive information out of the wrong hands. Below are some tactics used by social engineering attackers:

Connecting on the Emotional Level – Humans are emotional beings and they feel pity when people tell touching stories. Social engineers often create stories or scenarios to convince victims to reveal valuable information.

Plausible-Sounding Justifications – A statement like “I need to enter the building because I have to meet John” sounds like a good reason at first. But think about it: it doesn’t actually mean anything. If the person is not allowed to enter the building, the explanation that he is meeting John does not make it legitimate. Yet the word “because” makes it sound like a valid reason.

Gifts and Favors – It is human nature that everyone loves gifts and feels obliged to return a kindness. Attackers can use this to gain access to sensitive information or to get into office buildings. Remember: free stuff is always part of baiting.

Reciprocity and Liking – Social engineers do all in their power to appear likable. Once they have established this with the victim, it is a lot easier to get their target to reciprocate their “kindness.”

Commitment and Consistency – People always want to show commitment to relationships. Social engineers can take advantage of this by creating small commitments (not necessarily romantic). Even giving out your name can act as a trigger for consistency.

Authority and Social Proof – Everyone has someone they look up to. If a beauty blogger says an eye cream helps, you’ll buy it, right? At the same time, many people on the internet seek a sense of belonging. Once cybercriminals recognize these vulnerabilities, they can leverage both to establish credibility in the eyes of the victim.

Scarcity and Urgency – Social engineers create a sense of urgency so that victims won’t have time to think things through. If you receive an email demanding an urgent response, we recommend that you carefully analyze the situation. Confirm the request with the appropriate person or department before taking any action.

Social Engineering Attack Types

Social engineering takes several forms depending on the medium of the attack. To avoid a social engineering attack, organizations must understand what it is and how it targets them. Below are some common social engineering attack types:


Phishing

The cyber actor designs a fake support portal or website imitating a reputable company and sends links to it to targets via email to trick them into revealing sensitive information.

Angler Phishing

Angler phishing is a subset of phishing that targets social media accounts. Attackers spoof the customer support accounts of well-known companies to deceive users into giving out login credentials and other critical data.

Spear phishing

A spear phishing attack is a social engineering assault that targets specific companies or individuals. The attacker spends extra time gathering information about the target to make the scam appear genuine. The end goal is to steal sensitive data.

Whaling/CEO Fraud

Whaling or CEO fraud is a phishing attack that targets top executives or senior-level employees of companies and government agencies. An attacker could spoof the email address of the company’s CEO and then send an employee a message requesting an urgent transfer or sensitive information.

419 / Nigerian Prince / Advance-fee scam

The 419 / Nigerian Prince / advance-fee scam is a social engineering tactic in which attackers trick victims into paying money up front. In return, the attacker promises the victim a large payment or a percentage of a larger sum.


Scareware

Scareware is malicious and deceptive software designed to trick computer users into visiting infected websites. Attacks can take the form of advertisements or pop-ups posing as legitimate antivirus companies that inform you that your computer is infected with a virus. It scares users into paying a fee to resolve the supposed security issue.

Tabnabbing/Reverse Tabnabbing

Tabnabbing is a social engineering tactic in which attackers manipulate inactive browser tabs. It allows a malicious web page to redirect a tab that was showing a legitimate site to the attacker’s page. As with other social engineering tactics, the aim is to trick users into submitting their credentials.
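As an added illustration of the reverse-tabnabbing mechanism (example code, not part of the original guide), the following Python script audits HTML for links that open a new tab without rel="noopener": such links hand the newly opened page a window.opener reference that it can use to replace the original tab with a look-alike login page. The sample markup is constructed for the example.

```python
from html.parser import HTMLParser


class BlankLinkAuditor(HTMLParser):
    """Collects <a target="_blank"> links whose rel lacks noopener/noreferrer.

    Without rel="noopener", the page opened in the new tab receives a
    window.opener reference and can set window.opener.location, swapping
    the original tab for a look-alike login page (reverse tabnabbing).
    """

    def __init__(self):
        super().__init__()
        self.checked = 0      # links that open in a new tab
        self.unsafe = []      # hrefs of those without noopener/noreferrer

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("target", "").lower() != "_blank":
            return
        self.checked += 1
        rel_tokens = set(a.get("rel", "").lower().split())
        if not rel_tokens & {"noopener", "noreferrer"}:
            self.unsafe.append(a.get("href", ""))


def find_unsafe_blank_links(html):
    """Return the hrefs of target="_blank" links that keep window.opener."""
    auditor = BlankLinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.unsafe


# Constructed sample markup for the example; example.com is a reserved name.
SAMPLE_HTML = """
<a href="https://example.com/a" target="_blank">no rel at all</a>
<a href="https://example.com/b" target="_blank" rel="noopener noreferrer">hardened</a>
<a href="https://example.com/c" target="_BLANK" rel="nofollow">rel present, no noopener</a>
<a href="https://example.com/d">opens in the same tab</a>
"""

if __name__ == "__main__":
    for href in find_unsafe_blank_links(SAMPLE_HTML):
        print('add rel="noopener" to:', href)
```

Current browsers treat target="_blank" as implying noopener, but the explicit attribute still protects users of older browsers and is also needed for pages opened through window.open().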


Spam

Spam refers to unwanted messages sent to users in bulk, typically for advertising purposes. However, cybercriminals also use it to send messages containing deceptive links, incentives, or offers. Opening such emails can infect your system or download ransomware onto your computer.

Honey trap

Honey traps are a fraudulent tactic that uses romantic or intimate relationships for personal or financial gain. In most cases, this attack involves using deceptive dating sites to identify victims, steal money, and obtain or access sensitive information.

BEC (Business Email Compromise)

Business Email Compromise (BEC) is a phishing scheme in which cybercriminals use real or fake business accounts to scam companies. Attackers disguise themselves as trusted sources (for example, the CEO) to trick employees into making large transfers or providing critical data that can be used for further attacks.
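The whaling and BEC scenarios described above leave the same tell-tale signs in mail headers. The following Python check, added here as an example rather than taken from the guide, flags messages that carry an executive’s display name on a sender outside the corporate domain, a Reply-To pointing to a different domain, or urgency language in the subject; the corporate domain, executive names and sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed values for this example: the organisation's mail domain and the
# display names of executives most likely to be impersonated.
CORP_DOMAIN = "example.test"
EXECUTIVE_NAMES = {"jane doe"}
URGENCY_TERMS = ("urgent", "wire transfer", "immediately", "confidential")

def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def bec_indicators(raw_message):
    """Return short tags for the BEC warning signs found in a raw message."""
    msg = email.message_from_string(raw_message)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "").lower()
    found = []
    # 1. An executive's display name on a sender outside the corporate domain.
    if name.strip().lower() in EXECUTIVE_NAMES and domain_of(sender) != CORP_DOMAIN:
        found.append("exec-name-external-domain")
    # 2. Replies silently routed to a domain other than the visible sender's.
    if reply_to and domain_of(reply_to) != domain_of(sender):
        found.append("reply-to-mismatch")
    # 3. Pressure language that discourages the recipient from verifying.
    if any(term in subject for term in URGENCY_TERMS):
        found.append("urgency-language")
    return found

# Constructed sample messages; .test is a reserved TLD, examp1e a look-alike.
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.test>
Reply-To: ceo.office@mailbox-relay.test
To: accounts@example.test
Subject: Urgent wire transfer needed today

Please process the attached invoice before noon. I am in meetings, do not call.
"""
LEGITIMATE = """From: Jane Doe <jane.doe@example.test>
To: accounts@example.test
Subject: Q3 budget review notes

Notes from this morning's meeting are attached.
"""

if __name__ == "__main__":
    print(bec_indicators(SUSPICIOUS))   # → ['exec-name-external-domain', 'reply-to-mismatch', 'urgency-language']
    print(bec_indicators(LEGITIMATE))   # → []
```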


Pharming

Pharming, a blend of “phishing” and “farming,” is a social engineering tactic that redirects users of a particular website to a fake, malicious version of it. The purpose is to trick them into entering their access credentials.

Email hacking

Email hacking or email hijacking is a cyber threat in which hackers gain unauthorized access to victims’ email accounts. The goal is to steal your information in order to commit fraud. An attacker could then send a malicious email to all of your contacts. This is usually the starting point for spoofing and account takeover.

Access tailgating

Online social engineering tactics are very diverse, but what about real-world social engineering? Access tailgating is a tactic an attacker uses to get into a building or a restricted area within it. Attackers use a variety of tricks to carry out this attack, for example asking someone to hold the door or pretending to have legitimate access.


Baiting

Baiting is a tactic scammers use to trick users into giving up personal and financial information in return for something. For example, you may receive an email offering a gift card if you click a link and fill out a survey form.

DNS spoofing

DNS spoofing is an attack that modifies a domain name record to redirect users to a malicious website that resembles the intended one. The attacker then prompts the victim to log in, giving the attacker the opportunity to steal their credentials.


Pretexting

Pretexting is a social engineering attack designed to trick victims into exposing sensitive information. The attacker creates a fabricated scenario, pretending to be a legitimate or known source. This attack also allows a cyber attacker to impersonate a sales representative or delivery person to gain physical access to data.

Physical breaches

Physical security breaches include the physical theft of sensitive documents and other valuables such as storage drives and computers. They result from unauthorized entry into the building.

Watering hole attack

A watering hole attack is a cyber threat that targets a specific user group by infecting a website that members of the group visit. The attacker aims to infect the victims’ computers and gain access to critical network resources.

Quid Pro Quo

Quid Pro Quo is another social engineering technique in which an attacker makes a false promise to trick a victim into revealing sensitive information. For example, you may receive a call from someone posing as a trusted service provider or an IT support representative.

Diversion theft

Diversion theft is an attack carried out both offline and online in which an attacker hijacks a delivery and reroutes it to the wrong location. Fraudsters also use this tactic online to trick victims into revealing sensitive information.

How to prevent social engineering attacks

Social engineering can happen to anyone, so everyone needs to learn how to avoid social engineering scams. It also poses a serious threat to corporate security, so preventing social engineering should be prioritized as a core component of any cybersecurity plan.